Information Security Policy

Transcription

1 Simacan B.V. Information Security Policy 2015 Document Security Classification Document Reference Code Public ISMS-0007 Document Version Number 2 Document Draft Number 1 Document Author Document Owner Ruggero Montalto Simacan B.V.

2 Table of contents 1. Introduction 2. Information Security Policy 2.1. Scope 2.2. Information Security Objectives 2.3. Information Security Principles 2.4. Responsibilities 2.5. Key Outcomes 2.6. Related Policies 3. Privacy Policy for Employees 4. Privacy Policy for Clients 5. Acceptance 6. Document Revision History 7. Document Review 8. Document Distribution 9. Document Approval 2

3 1. Introduction Information should always be protected, whatever its form and however it is shared, communicated or stored. Simacan has many critical information assets which are crucial in conducting business, maintaining clients' trust, and keeping the future of the company strong. The present policy outlines Simacan's commitments to its employees, its clients, and its suppliers, regarding how all business-critical information assets will be handled by Simacan. Information can be sensitive by its nature, and can also be sensitive due to regulations and industry standards. Sensitive information can include: clients' information, financial information, business records and planning materials, copyrighted materials, both which Simacan creates and those which Simacan obtains under license from others, company patents, business plans, and several other types of intellectual property. Information may reside on Simacan's computing (cloud) systems, online and offline, it may traverse the networks, be on paper, or even be in people s minds. All these locations must be properly controlled. The rules by which information is handled are determined by laws and regulations, business requirements, and the commitments Simacan undergoes with its clients and employees. Every Simacan employee, every client, every supplier, must be aware of the significance of the information being handled, and ensure that proper controls are applied to prevent unauthorized disclosure, loss or lack of accessibility to the information. This Information Protection policy is a part of the overall security and privacy effort carried out by Simacan. Other policies and controls may also apply, these are available in the Handbook of Information Security and on the company s backoffice. Penalties for violating these policies may include disciplinary actions up to termination of employment, or termination of the business relationship with Simacan. Simacan relies upon employees, clients, and suppliers to properly develop, maintain, and operate its systems, networks, and processes which keep sensitive information safe and properly used. This means that every person and organization handling Simacan's information has the responsibility to keep the information safe, no matter where the information is located. This includes computing systems, networks, paper copies, business processes, and verbal transmission of information. 3

4 2. Information Security Policy 2.1. Scope This policy supports Simacan s general security policy and applies to all of the organization as well as to external parties who are stakeholders in the activities of Simacan s Information Security Management System. Simacan will meet all applicable requirements in properly protecting the information, including laws, regulations, industry standards, and contractual commitments with employees, clients, and suppliers Information Security Objectives Ensure the continuous improvement of the Simacan product lifecycle procedures. Create awareness about risk governance and security control effectiveness. Preserve good information security practices already in place. Increase the market value and prominence of the Simacan Control Tower Information Security Principles 1. Simacan tolerates risks that might not be tolerated in conservatively managed organizations, provided that information risks are understood, monitored, and treated when necessary. 2. All Simacan employees will be made aware and accountable for information security as relevant aspect of their job-role. 3. Provisions will be made for funding information security controls in operational and project management processes. 4. The possibility of dangerous, abusive, or malicious use associated with information systems will be taken into account in the overall management of information systems. 5. Information security status reports will be available. 6. Information security risks will be monitored and action taken when changes result in risks that are not acceptable. 7. Systematic criteria for risk classification and risk acceptability will be adopted in Simacan's ISMS. 8. Situations that could place the organization in breach of laws and statutory regulations will not be tolerated and will always result in immediate action towards a solution Responsibilities 1. Simacan s Top Management is responsible for ensuring that information security is adequately addressed throughout the organization. 2. CEO, CTO, and CPO are responsible for ensuring that all people working under their control protect information in accordance with the policies, the procedures, and the standards embraced by Simacan. 3. CISO advises Top Management concerning information security related matters, provides support and training for the employees, and ensures that information security status reports are available. 4. Every Simacan employee undergoes information security responsibilities as part of their employment contract with Simacan Key Outcomes 1. Concerns about information security will not adversely affect the client s 4

5 acceptance of Simacan s products. 2. Information security incidents will not result in serious disruptions of service for the clients or business activities for Simacan. 3. Information security incidents will not result in serious unexpected costs. 4. Losses will be known and will be kept within acceptable bounds. 5. Continual improvement of the information security management system Related Policies The protections Simacan applies to information assets will be in proportion to the value and sensitivity of the information, and will balance the sensitivity of the information against the impact of the controls on the effectiveness of business operations and the risks of disclosure, modification, destruction, or unauthorized use of the information. Simacan will protect all types of sensitive information, and will ensure that these controls are accepted by all employees, clients, suppliers, service providers, representatives and associates of our company who may have access to our information. This includes ensuring that all personnel at all levels are aware of, and are held accountable for safeguarding information assets. Simacan will ensure that access to information is controlled, and based upon, job function and need-to-know criteria, and will maintain proper business continuity and security procedures, including information systems, networks, resources, and business processes. Simacan will comply with other related policies, regulations and laws, including the Dutch and the European privacy policies, and will report any suspected or actual breach of these policies, and will cooperate with investigative agencies. The following detailed policies provide principles and guidance on specific aspects of information security. 1. Simacan's Handbook of Information Security; 2. Simacan's Handbook of Internal Procedures. 5

6 3. Privacy Policy for Employees Simacan values each employee, and so has a commitment to protect the personal information which it handles on behalf of the employee. It is Simacan's policy that: Simacan will collect only that information about employees which is needed and relevant. Simacan will strive to make certain that personal information about employees is kept accurate and up-to-date. Simacan will use appropriate controls to ensure that this information is kept secure, and is only viewed or used by the proper personnel. Information about employees will not be disclosed to any external parties unless appropriate. Employees will be told how they can review information about them, make updates, and report problems. Simacan will comply with applicable laws, regulations, and industry standards when protecting employee information. Simacan holds her employees, vendors, contractors, suppliers, and trading partners to meet this same set of policies. 4. Privacy Policy for Clients It is a part of Simacan s core values that Simacan will properly value and protect any information entrusted to it about its clients. This policy describes how we will safeguard personal and company information, to ensure peace of mind when dealing with Simacan. It is Simacan's policy that: Simacan will collect only that information about clients which is needed and relevant. Simacan will not disclose information to other parties unless customers have been properly notified of such a disclosure. Simacan will strive to make certain that information about customers is kept accurate and up-to-date. Simacan will use appropriate controls to ensure that this information is kept secure, and is only viewed or used by the proper personnel. Simacan will comply with applicable laws, regulations, and industry standards when protecting employee information. Simacan holds its employees, vendors, contractors, suppliers, and trading partners to meet this same set of policies. 6

7 5. Acceptance I have read and understood the Company s security and privacy policies. Date: Place: Signed: 7

8 6. Document Revision History Version number Draft number Date Summary of Changes First version Major draft review in line with the new product-centric business strategy Ready for review Section 2.2 Information Security Objectives 7. Document Review Date of Review Reviewer Felix Faassen Martijn Loot 8. Document Distribution Name Role 9. Document Approval Name Date Signature Rob Schuurbiers Felix Faassen Martijn Loot 8